From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Noam Rathaus, Cong Wang, Jason Gunthorpe, Sasha Levin
Subject: [PATCH 4.4 017/124] infiniband: fix a possible use-after-free bug
Date: Sat, 4 Aug 2018 11:00:06 +0200
Message-Id: <20180804082703.091542383@linuxfoundation.org>
In-Reply-To: <20180804082702.434482435@linuxfoundation.org>
References: <20180804082702.434482435@linuxfoundation.org>
X-Mailer: git-send-email 2.18.0
User-Agent: quilt/0.65
X-stable: review
X-Mailing-List: linux-kernel@vger.kernel.org

4.4-stable review patch. If anyone has any objections, please let me know.

------------------
From: Cong Wang

[ Upstream commit cb2595c1393b4a5211534e6f0a0fbad369e21ad8 ]

ucma_process_join() will free the newly allocated "mc" struct,
if there is any error after that, especially the copy_to_user().

But in parallel, ucma_leave_multicast() could find this "mc"
through idr_find() before ucma_process_join() frees it, since it
is already published.

So "mc" could be used in ucma_leave_multicast() after it has been
allocated and freed in ucma_process_join(), since we don't refcnt
it.

Fix this by separating "publish" from ID allocation, so that we
can get an ID first and publish it later after copy_to_user().

Fixes: c8f6a362bf3e ("RDMA/cma: Add multicast communication support")
Reported-by: Noam Rathaus
Signed-off-by: Cong Wang
Signed-off-by: Jason Gunthorpe
Signed-off-by: Sasha Levin
Signed-off-by: Greg Kroah-Hartman
---
 drivers/infiniband/core/ucma.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/infiniband/core/ucma.c +++ b/drivers/infiniband/core/ucma.c @@ -217,7 +217,7 @@ static struct ucma_multicast* ucma_alloc return NULL; mutex_lock(&mut); - mc->id = idr_alloc(&multicast_idr, mc, 0, 0, GFP_KERNEL); + mc->id = idr_alloc(&multicast_idr, NULL, 0, 0, GFP_KERNEL); mutex_unlock(&mut); if (mc->id < 0) goto error; @@ -1375,6 +1375,10 @@ static ssize_t ucma_process_join(struct goto err3; } + mutex_lock(&mut); + idr_replace(&multicast_idr, mc, mc->id); + mutex_unlock(&mut); + mutex_unlock(&file->mut); ucma_put_ctx(ctx); return 0;
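Review bot: in the first hunk (ucma_alloc_multicast), `idr_alloc(&multicast_idr, NULL, 0, 0, GFP_KERNEL)` now reserves the ID with a NULL entry, so a lookup of that ID through idr_find() (the ucma_leave_multicast() path the commit message names) returns NULL until the later idr_replace(). That is the intended protection, but it relies on every idr_find() caller treating NULL as "not found" and on the existing `goto error` and `goto err3` unwinds still releasing an ID whose entry is NULL; please confirm both. A one-line comment above the idr_alloc() call saying that the pointer is published later in ucma_process_join() would also stop a future reader from "fixing" the NULL back to mc.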
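Review bot: in the second hunk (ucma_process_join), the return value of `idr_replace(&multicast_idr, mc, mc->id)` is discarded; since the slot was reserved under the same `mut` lock in ucma_alloc_multicast() it should not fail here, but a WARN_ON(IS_ERR(...)) or a short comment stating that invariant would make it explicit. The placement, after the `goto err3` error check and before `mutex_unlock(&file->mut)`, is the whole point of the fix: mc becomes visible to a concurrent ucma_leave_multicast() only once copy_to_user() has succeeded and the error unwind that frees it can no longer run, so a comment at the idr_replace() call saying exactly that would document why the publish must not be moved earlier.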
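The race the commit message describes, and the reserve-then-publish fix for it, modelled in user space as an added example (not code from the patch or the kernel): a toy table stands in for the IDR, `table_alloc_id`, `table_publish` and `table_find` are hypothetical stand-ins for idr_alloc(), idr_replace() and idr_find(), and `racer_sees_object` shows that a lookup racing with a failed join obtains the soon-to-be-freed object in the old scheme but NULL in the fixed one.

```c
#include <stdbool.h>
#include <stddef.h>

#define TABLE_SIZE 8
struct multicast { int id; };            /* stand-in for struct ucma_multicast */
/* Toy IDR: a slot can be reserved (used) while its pointer is still NULL. */
struct table { bool used[TABLE_SIZE]; struct multicast *ptr[TABLE_SIZE]; };

/* idr_alloc(): reserve a free ID, storing the object (old) or NULL (fixed). */
static int table_alloc_id(struct table *t, struct multicast *p)
{
    for (int i = 0; i < TABLE_SIZE; i++)
        if (!t->used[i]) { t->used[i] = true; t->ptr[i] = p; return i; }
    return -1;
}

/* idr_replace(): publish the object in an already reserved slot. */
static bool table_publish(struct table *t, struct multicast *p, int id)
{
    if (id < 0 || id >= TABLE_SIZE || !t->used[id]) return false;
    t->ptr[id] = p;
    return true;
}

/* idr_find(): a reserved-but-unpublished ID yields NULL, not a pointer. */
static struct multicast *table_find(const struct table *t, int id)
{
    return (id >= 0 && id < TABLE_SIZE && t->used[id]) ? t->ptr[id] : NULL;
}

/* ucma_process_join() whose copy_to_user() fails after the ID was taken.
 * Returns true if a lookup racing in that window (ucma_leave_multicast()'s
 * idr_find()) obtained the object that is then freed: the use-after-free. */
static bool racer_sees_object(bool publish_at_alloc)
{
    struct table t = { 0 };
    struct multicast mc = { 0 };                 /* stand-in for kmalloc'd mc */
    mc.id = table_alloc_id(&t, publish_at_alloc ? &mc : NULL);
    bool seen = table_find(&t, mc.id) != NULL;   /* the racing lookup */
    t.used[mc.id] = false; t.ptr[mc.id] = NULL;  /* idr_remove() in the unwind */
    return seen;
}

/* Fixed happy path: reserve, copy_to_user() succeeds, only then publish. */
static bool join_then_lookup(void)
{
    struct table t = { 0 };
    struct multicast mc = { 0 };
    mc.id = table_alloc_id(&t, NULL);
    bool hidden = table_find(&t, mc.id) == NULL; /* invisible until published */
    return hidden && table_publish(&t, &mc, mc.id) && table_find(&t, mc.id) == &mc;
}
```

`racer_sees_object(true)` reproduces the old behaviour (the racer holds a pointer that is freed right after) and `racer_sees_object(false)` the fixed one; the model has no locking because the kernel code serialises the table under `mut`.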